From: Greg Kroah-Hartman Date: Fri, 13 Aug 2021 09:03:21 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.281~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f673d8802b74d529371a9954dbdc0b28a96bed63;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: ovl-prevent-private-clone-if-bind-mount-is-not-allowed.patch ppp-fix-generating-ppp-unit-id-when-ifname-is-not-specified.patch usb-ehci-fix-kunpeng920-ehci-hardware-problem.patch --- diff --git a/queue-4.14/ovl-prevent-private-clone-if-bind-mount-is-not-allowed.patch b/queue-4.14/ovl-prevent-private-clone-if-bind-mount-is-not-allowed.patch new file mode 100644 index 00000000000..2d765ec8441 --- /dev/null +++ b/queue-4.14/ovl-prevent-private-clone-if-bind-mount-is-not-allowed.patch @@ -0,0 +1,97 @@ +From 427215d85e8d1476da1a86b8d67aceb485eb3631 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Mon, 9 Aug 2021 10:19:47 +0200 +Subject: ovl: prevent private clone if bind mount is not allowed + +From: Miklos Szeredi + +commit 427215d85e8d1476da1a86b8d67aceb485eb3631 upstream. + +Add the following checks from __do_loopback() to clone_private_mount() as +well: + + - verify that the mount is in the current namespace + + - verify that there are no locked children + +Reported-by: Alois Wohlschlager +Fixes: c771d683a62e ("vfs: introduce clone_private_mount()") +Cc: # v3.18 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/namespace.c | 42 ++++++++++++++++++++++++++++-------------- + 1 file changed, 28 insertions(+), 14 deletions(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1879,6 +1879,20 @@ void drop_collected_mounts(struct vfsmou + namespace_unlock(); + } + ++static bool has_locked_children(struct mount *mnt, struct dentry *dentry) ++{ ++ struct mount *child; ++ ++ list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) { ++ if (!is_subdir(child->mnt_mountpoint, dentry)) ++ continue; ++ ++ if (child->mnt.mnt_flags & MNT_LOCKED) ++ return true; ++ } ++ return false; ++} ++ + /** + * clone_private_mount - create a private clone of a path + * +@@ -1893,14 +1907,27 @@ struct vfsmount *clone_private_mount(con + struct mount *old_mnt = real_mount(path->mnt); + struct mount *new_mnt; + ++ down_read(&namespace_sem); + if (IS_MNT_UNBINDABLE(old_mnt)) +- return ERR_PTR(-EINVAL); ++ goto invalid; ++ ++ if (!check_mnt(old_mnt)) ++ goto invalid; ++ ++ if (has_locked_children(old_mnt, path->dentry)) ++ goto invalid; + + new_mnt = clone_mnt(old_mnt, path->dentry, CL_PRIVATE); ++ up_read(&namespace_sem); ++ + if (IS_ERR(new_mnt)) + return ERR_CAST(new_mnt); + + return &new_mnt->mnt; ++ ++invalid: ++ up_read(&namespace_sem); ++ return ERR_PTR(-EINVAL); + } + EXPORT_SYMBOL_GPL(clone_private_mount); + +@@ -2216,19 +2243,6 @@ static int do_change_type(struct path *p + return err; + } + +-static bool has_locked_children(struct mount *mnt, struct dentry *dentry) +-{ +- struct mount *child; +- list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) { +- if (!is_subdir(child->mnt_mountpoint, dentry)) +- continue; +- +- if (child->mnt.mnt_flags & MNT_LOCKED) +- return true; +- } +- return false; +-} +- + /* + * do loopback mount. + */ diff --git a/queue-4.14/ppp-fix-generating-ppp-unit-id-when-ifname-is-not-specified.patch b/queue-4.14/ppp-fix-generating-ppp-unit-id-when-ifname-is-not-specified.patch new file mode 100644 index 00000000000..b7acaa9cb11 --- /dev/null +++ b/queue-4.14/ppp-fix-generating-ppp-unit-id-when-ifname-is-not-specified.patch @@ -0,0 +1,109 @@ +From 3125f26c514826077f2a4490b75e9b1c7a644c42 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Sat, 7 Aug 2021 18:00:50 +0200 +Subject: ppp: Fix generating ppp unit id when ifname is not specified +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit 3125f26c514826077f2a4490b75e9b1c7a644c42 upstream. + +When registering new ppp interface via PPPIOCNEWUNIT ioctl then kernel has +to choose interface name as this ioctl API does not support specifying it. + +Kernel in this case register new interface with name "ppp" where +is the ppp unit id, which can be obtained via PPPIOCGUNIT ioctl. This +applies also in the case when registering new ppp interface via rtnl +without supplying IFLA_IFNAME. + +PPPIOCNEWUNIT ioctl allows to specify own ppp unit id which will kernel +assign to ppp interface, in case this ppp id is not already used by other +ppp interface. + +In case user does not specify ppp unit id then kernel choose the first free +ppp unit id. This applies also for case when creating ppp interface via +rtnl method as it does not provide a way for specifying own ppp unit id. + +If some network interface (does not have to be ppp) has name "ppp" +with this first free ppp id then PPPIOCNEWUNIT ioctl or rtnl call fails. + +And registering new ppp interface is not possible anymore, until interface +which holds conflicting name is renamed. Or when using rtnl method with +custom interface name in IFLA_IFNAME. + +As list of allocated / used ppp unit ids is not possible to retrieve from +kernel to userspace, userspace has no idea what happens nor which interface +is doing this conflict. + +So change the algorithm how ppp unit id is generated. And choose the first +number which is not neither used as ppp unit id nor in some network +interface with pattern "ppp". + +This issue can be simply reproduced by following pppd call when there is no +ppp interface registered and also no interface with name pattern "ppp": + + pppd ifname ppp1 +ipv6 noip noauth nolock local nodetach pty "pppd +ipv6 noip noauth nolock local nodetach notty" + +Or by creating the one ppp interface (which gets assigned ppp unit id 0), +renaming it to "ppp1" and then trying to create a new ppp interface (which +will always fails as next free ppp unit id is 1, but network interface with +name "ppp1" exists). + +This patch fixes above described issue by generating new and new ppp unit +id until some non-conflicting id with network interfaces is generated. + +Signed-off-by: Pali Rohár +Cc: stable@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ppp/ppp_generic.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -286,7 +286,7 @@ static struct channel *ppp_find_channel( + static int ppp_connect_channel(struct channel *pch, int unit); + static int ppp_disconnect_channel(struct channel *pch); + static void ppp_destroy_channel(struct channel *pch); +-static int unit_get(struct idr *p, void *ptr); ++static int unit_get(struct idr *p, void *ptr, int min); + static int unit_set(struct idr *p, void *ptr, int n); + static void unit_put(struct idr *p, int n); + static void *unit_find(struct idr *p, int n); +@@ -977,9 +977,20 @@ static int ppp_unit_register(struct ppp + mutex_lock(&pn->all_ppp_mutex); + + if (unit < 0) { +- ret = unit_get(&pn->units_idr, ppp); ++ ret = unit_get(&pn->units_idr, ppp, 0); + if (ret < 0) + goto err; ++ if (!ifname_is_set) { ++ while (1) { ++ snprintf(ppp->dev->name, IFNAMSIZ, "ppp%i", ret); ++ if (!__dev_get_by_name(ppp->ppp_net, ppp->dev->name)) ++ break; ++ unit_put(&pn->units_idr, ret); ++ ret = unit_get(&pn->units_idr, ppp, ret + 1); ++ if (ret < 0) ++ goto err; ++ } ++ } + } else { + /* Caller asked for a specific unit number. Fail with -EEXIST + * if unavailable. For backward compatibility, return -EEXIST +@@ -3266,9 +3277,9 @@ static int unit_set(struct idr *p, void + } + + /* get new free unit number and associate pointer with it */ +-static int unit_get(struct idr *p, void *ptr) ++static int unit_get(struct idr *p, void *ptr, int min) + { +- return idr_alloc(p, ptr, 0, 0, GFP_KERNEL); ++ return idr_alloc(p, ptr, min, 0, GFP_KERNEL); + } + + /* put unit number back to a pool */ diff --git a/queue-4.14/series b/queue-4.14/series index 9d22ba39370..052a2c62d9a 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -36,3 +36,6 @@ reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch reiserfs-check-directory-items-on-read-from-disk.patch alpha-send-stop-ipi-to-send-to-online-cpus.patch net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch +usb-ehci-fix-kunpeng920-ehci-hardware-problem.patch +ppp-fix-generating-ppp-unit-id-when-ifname-is-not-specified.patch +ovl-prevent-private-clone-if-bind-mount-is-not-allowed.patch diff --git a/queue-4.14/usb-ehci-fix-kunpeng920-ehci-hardware-problem.patch b/queue-4.14/usb-ehci-fix-kunpeng920-ehci-hardware-problem.patch new file mode 100644 index 00000000000..7a2f7194dc2 --- /dev/null +++ b/queue-4.14/usb-ehci-fix-kunpeng920-ehci-hardware-problem.patch @@ -0,0 +1,42 @@ +From 26b75952ca0b8b4b3050adb9582c8e2f44d49687 Mon Sep 17 00:00:00 2001 +From: Longfang Liu +Date: Fri, 9 Apr 2021 16:48:01 +0800 +Subject: USB:ehci:fix Kunpeng920 ehci hardware problem + +From: Longfang Liu + +commit 26b75952ca0b8b4b3050adb9582c8e2f44d49687 upstream. + +Kunpeng920's EHCI controller does not have SBRN register. +Reading the SBRN register when the controller driver is +initialized will get 0. + +When rebooting the EHCI driver, ehci_shutdown() will be called. +if the sbrn flag is 0, ehci_shutdown() will return directly. +The sbrn flag being 0 will cause the EHCI interrupt signal to +not be turned off after reboot. this interrupt that is not closed +will cause an exception to the device sharing the interrupt. + +Therefore, the EHCI controller of Kunpeng920 needs to skip +the read operation of the SBRN register. + +Acked-by: Alan Stern +Signed-off-by: Longfang Liu +Link: https://lore.kernel.org/r/1617958081-17999-1-git-send-email-liulongfang@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/ehci-pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/host/ehci-pci.c ++++ b/drivers/usb/host/ehci-pci.c +@@ -311,6 +311,9 @@ static int ehci_pci_setup(struct usb_hcd + if (pdev->vendor == PCI_VENDOR_ID_STMICRO + && pdev->device == PCI_DEVICE_ID_STMICRO_USB_HOST) + ; /* ConneXT has no sbrn register */ ++ else if (pdev->vendor == PCI_VENDOR_ID_HUAWEI ++ && pdev->device == 0xa239) ++ ; /* HUAWEI Kunpeng920 USB EHCI has no sbrn register */ + else + pci_read_config_byte(pdev, 0x60, &ehci->sbrn); +